Abstract

Recently, Zou et al. [Phys. Rev. A 82, 042325 (2010)] demonstrated 
that two arbitrated quantum signature (AQS) schemes are not secure, 
because an arbitrator cannot arbitrate the dispute between two users when 
a receiver repudiates the integrity of a signature. By using a public board, 
Zou et al. proposed two AQS schemes to solve the problem. This work 
shows that the same security problem may exist in Zou et al.'s schemes. 
Moreover, a malicious verifier, Bob, can actively negate a signed order if 
he wants to. This attack, a special case of denial-of-service (DoS) attack 
mentioned in [Phys. Rev. Lett. 91, 109801 (2003)], is important in 
quantum cryptography. Bob may get some benefits with this DoS attack, 
since he can actively deny Alice's signed order without being detected. 
This work also shows that a malicious signer can reveal the verifier's secret 
key without being detected by using Trojan-horse attacks. 
1 Introduction



The quantum signature, which provides the authenticity and non-repudiation
of quantum states on an insecure quantum channel [1] [2], is one of the most
important topics of research in quantum cryptography. The quantum signature
can provide unconditional security by exploiting the principles of quantum
mechanics, such as the no-cloning theorem and measurement uncertainty. Two basic
properties are required in a quantum signature [1]:

1. Unforgeability: Neither the signature verifier nor an attacker can forge a 
signature or change the content of a signature. The signature should not 
be reproducible by any other person. 

2. Undeniability: A signatory, Alice, who has sent the signature to the
verifier, Bob, cannot later deny having provided a signature. Moreover, the
verifier Bob cannot deny the receipt of a signature.

The first quantum signature was proposed by Gottesman and Chuang [3].
Subsequently, a variety of quantum signature schemes have been proposed
[I] [Hill [51 [Sl[71[Hl[ni[ini[ni[Il[H[Ill. Zeng et al. [1] proposed an
arbitrated quantum signature (AQS) scheme based on the correlation between
Greenberger-Horne-Zeilinger (GHZ) states and quantum one-time pads. However,
Curty et al. [6] pointed out that this AQS scheme [1] is not clearly described
and that the security statements claimed by the authors are incorrect. In
response [7], Zeng provided a more detailed presentation and proof of Zeng et
al.'s original AQS scheme [1]. To improve the transmission efficiency and to
reduce the implementation complexity of [1] [7], Li et al. [8] proposed an AQS
scheme using Bell states and claimed that their improvements can preserve the
merits in the original scheme

mm- 
In an AQS scheme, the arbitrator plays a crucial role. When a dispute
arises between users, the arbitrator should be able to arbitrate the dispute. In
other words, the arbitrator should be able to solve a dispute when a verifier,
Bob, repudiates the receipt of a signature or, in particular, when the verifier
repudiates the integrity of a signature, i.e., Bob admits receiving a signature
but denies the correctness of the signature. The latter dispute implies one of
the following three cases [15]:

(1) Bob told a lie; 

(2) The signatory Alice sent incorrect information to Bob; 

(3) An eavesdropper Eve disturbed the communications. 

As the arbitrator in [1] [7] [8] cannot solve the dispute when Bob claims that
the verification of a signature is not successful, Zou et al. [T^] considered that
these schemes are not valid AQS schemes because the security requirement of a
quantum signature, i.e., undeniability, is not satisfied.

By using a public board, Zou et al. also proposed two AQS schemes to solve
the problem. However, this study demonstrates that the same security problem
may exist in Zou et al.'s schemes. In their schemes, when Bob announces that
the verification of a signature is not successful, the arbitrator may not be able to
arbitrate the dispute mentioned above. Moreover, a malicious verifier, Bob, can
actively negate a signature if he wants to. This attack, a special case of the
denial-of-service (DoS) attack mentioned in [16], is important in quantum
cryptography. Bob may get some benefits with this DoS attack, since he can
actively deny Alice's signature without being detected. In addition, this study
attempts to demonstrate that a malicious signer, Alice, can reveal Bob's secret
key without being detected by using Trojan-horse attacks [17] [18].
The rest of this paper is organized as follows. Section 2 reviews one of Zou
et al.'s schemes. Section 3 discusses the problems with the scheme. Finally,
Section 4 summarizes the result.

2 Review of Zou et al.'s first signature scheme 

Zou et al.'s first AQS scheme [13] is briefly explained in the following scenario.
Alice, the message signatory, wants to sign a quantum message $|P\rangle$ to a
signature verifier, Bob, via the assistance of an arbitrator, Trent. Suppose that
Alice and Bob share a secret key $K \in \{0,1\}^*$ and that the quantum message to
be signed is $|P\rangle = |P_1\rangle \otimes |P_2\rangle \otimes \cdots \otimes |P_n\rangle$,
where $|K| \ge 2n$, $|P_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$, and
$1 \le i \le n$. In order to protect the quantum message, the quantum
one-time-pad encryption $E_K$ [19] and the unitary transformation $M_K$ used in
the schemes are defined as follows.

$$E_K(|P\rangle) = \bigotimes_{i=1}^{n} \sigma_x^{K_{2i-1}} \sigma_z^{K_{2i}} |P_i\rangle, \qquad (1)$$

n 

MKm)=^^^'^^'^'\P^), (2) 
1=1 

where $|P_i\rangle$ and $K_i$ denote the $i$th bit of $|P\rangle$ and $K$,
respectively, and $\sigma_x$ and $\sigma_z$ are the respective Pauli matrices.

To prevent the integrity of a signature from being repudiated by Bob, Zou 
et al. proposed two AQS schemes: the AQS scheme using Bell states and the 
AQS without using entangled states. In this paper, we only review their AQS 
scheme using Bell states. 

Suppose that Alice wants to sign an n-qubit quantum message $|P\rangle$ to Bob.
In order to perform the signature, three copies of $|P\rangle$ are necessary. The
scheme proceeds as follows:
Initialization phase:

Step I1. The arbitrator Trent shares the secret keys $K_A$ and $K_B$ with Alice
and Bob, respectively, through some unconditionally secure quantum key
distribution protocols.

Step I2. Alice generates n Bell states,
$|\psi_i\rangle = \frac{1}{\sqrt{2}}(|00\rangle_{AB} + |11\rangle_{AB})$, where
$1 \le i \le n$; the subscripts A and B denote the first and second particles of
the Bell state, respectively. After that, Alice sends all B particles to Bob
in a secure and authenticated way [20] [21].

Signing phase: 

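Step S1. Alice chooses a random number $r \in \{00, 01, 10, 11\}^n$ to encrypt all
$|P\rangle$'s, i.e., $|P'\rangle = E_r(|P\rangle)$.

Step S2. Alice generates $|S_A\rangle = E_{K_A}(|P'\rangle)$.

Step S3. Alice combines each $|P'_i\rangle$ with the first particle A of each Bell
state. Then, each original Bell state becomes a three-particle entangled state,

$$|\phi_i\rangle_{PAB} = |P'_i\rangle \otimes |\psi_i\rangle_{AB} = \frac{1}{2}\Big[ |\Phi^+_{PA}\rangle (\alpha'_i|0\rangle + \beta'_i|1\rangle)_B + |\Phi^-_{PA}\rangle (\alpha'_i|0\rangle - \beta'_i|1\rangle)_B + |\Psi^+_{PA}\rangle (\alpha'_i|1\rangle + \beta'_i|0\rangle)_B + |\Psi^-_{PA}\rangle (\alpha'_i|1\rangle - \beta'_i|0\rangle)_B \Big],$$

where $\alpha'_i$ and $\beta'_i$ are the amplitudes of $|P'_i\rangle$, and
$|\Phi^+_{PA}\rangle$, $|\Phi^-_{PA}\rangle$, $|\Psi^+_{PA}\rangle$, and
$|\Psi^-_{PA}\rangle$ are the four Bell states [^.

Step S4. Alice performs a Bell measurement on each pair $|\phi_i\rangle_{PA}$ and
obtains the measurement results
$|M_A\rangle = (|M_A^1\rangle, |M_A^2\rangle, \ldots, |M_A^n\rangle)$, where
$|M_A^i\rangle \in \{|\Phi^+_{PA}\rangle, |\Phi^-_{PA}\rangle, |\Psi^+_{PA}\rangle, |\Psi^-_{PA}\rangle\}$
and $1 \le i \le n$.

Step S5. Alice sends $|S\rangle = (|P'\rangle, |S_A\rangle, |M_A\rangle)$ to Bob.

Verification phase:

Step V1. Bob encrypts $|P'\rangle$ and $|S_A\rangle$ with $K_B$ and sends the quantum
ciphertext $|Y_B\rangle = E_{K_B}(|P'\rangle, |S_A\rangle)$ to Trent.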



Step V2. Trent decrypts $|Y_B\rangle$ with $K_B$ and obtains $|P'\rangle$ and
$|S_A\rangle$. Next, he encrypts $|P'\rangle$ with $K_A$ and obtains $|S_T\rangle$.
If $|S_T\rangle = |S_A\rangle$ [8, 23], then Trent sets the verification parameter
$V = 1$; otherwise, he sets $V = 0$.

Step V3. Trent recovers $|P'\rangle$ from $|S_T\rangle$. Then, he encrypts
$|P'\rangle$, $|S_A\rangle$, and $V$ with $K_B$ and sends the quantum ciphertext
$|Y_T\rangle = E_{K_B}(|P'\rangle, |S_A\rangle, V)$ to Bob.

Step V4. Bob decrypts $|Y_T\rangle$ and obtains $|P'\rangle$, $|S_A\rangle$, and $V$.
If $V = 0$, Bob rejects the signature; otherwise, Bob continues to the next step.

Step V5. Based on Alice's measurement results $|M_A\rangle$, Bob can obtain
$|P'_B\rangle$ from the B particles received in Step I2, according to the
principle of teleportation [8]. Next, he compares $|P'_B\rangle$ with $|P'\rangle$.
If $|P'_B\rangle = |P'\rangle$, Bob informs Alice to publish $r$ and proceeds to the
next step; otherwise, he rejects the signature.

Step V6. Alice publishes $r$ on the public board.

Step V7. Bob recovers $|P\rangle$ from $|P'\rangle$ by $r$ and holds
$(|S_A\rangle, r)$ as Alice's signature for the quantum message $|P\rangle$.

3 Discussion on Zou et al.'s scheme 

This section discusses problems that could arise in Zou et al.'s scheme if
precautions are not taken. We first present a DoS attack based on the
undeniability dilemma and give an example to show that a verifier can actively
negate a signature without being detected to get some benefits in his favor.
Then, we introduce Trojan-horse attacks on Zou et al.'s scheme.
3.1 Undeniability dilemma - A denial-of-service (DoS) attack

In Zou et al.'s scheme, the signatory Alice uses a random number $r$ to protect
the quantum message $|P\rangle$ (i.e., $|P'\rangle = E_r(|P\rangle)$) before signing
it. After the verification by the arbitrator Trent, Bob recovers $|P'_B\rangle$ and
compares it with $|P'\rangle$. Once Bob informs Alice that
$|P'_B\rangle = |P'\rangle$, Alice publishes $r$ on the public board, which is
assumed to be free from being blocked, injected, or altered. Finally, Bob
recovers $|P\rangle$ from $|P'\rangle$ by $r$ and retains $(|S_A\rangle, r)$ as
Alice's signature.

It appears that if Bob informs Alice to publish $r$ on the public board, then
he cannot disavow the integrity of the signature. In accordance with this logic,
Zou et al. considered that the use of the public board can prevent the denial
attack from Bob. However, if Bob claims that $|P'_B\rangle \ne |P'\rangle$ in Step V5
before requesting the value of $r$ from Alice, then Trent cannot arbitrate the
dispute between Alice and Bob because one of the following three possible cases
may occur.

1. Bob told a lie: In this case, Bob decides to forego the recovery of the
message $|P\rangle$ for some reason;

2. Alice sent incorrect information to Bob: In Step S3, Alice deliberately
generated $|\phi_i\rangle_{PAB}$ using another message $|P''_i\rangle$ with
$|P''_i\rangle \ne |P'_i\rangle$, or generated
$|S\rangle = (|P'\rangle, |S_A\rangle, |M'_A\rangle)$ with
$|M'_A\rangle \ne |M_A\rangle$ in Step S5;

3. Eve disturbed the communication.

Apparently, when Bob claims that $|P'_B\rangle \ne |P'\rangle$ in this case, Trent
cannot solve the dispute. Hence, Bob can perform the DoS attack by negating the
signature from Alice without being detected. Furthermore, as also pointed out in
[15], Alice is able to publish an arbitrary value $r'$ ($\ne r$) such that the
original signature cannot be verified successfully by Bob, which also
contradicts the undeniability requirement of a signature scheme.

This problem could be serious if the signature occurs in an electronic order 
system, where Alice is a buyer and Bob, a company. Bob is able to negate a 
signed order from Alice if the current market situation is not in his favor. In 
such a case, it does not matter whether Bob can obtain the value r to recover 
the signed order from Alice, because Bob knows that due to the order, he will 
lose a fortune. Similarly, by controlling the value of r, Alice is also able to select 
a situation favorable to her for completing the signature process. 

The same dilemma may occur in Zou et al.'s second AQS scheme. 
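
The following added example (not from the paper) models Steps S1-S5, V2 and V5 of Section 2 for a single qubit (n = 1) with plain state vectors, and reproduces case 2 of Section 3.1: Trent sets V = 1 whether or not Alice reports the Bell outcome she actually measured, so V alone cannot separate a dishonest Alice from a lying Bob. The function names and the `measured`/`reported` parameters are assumptions of this example.

```python
import math

S = 1 / math.sqrt(2)
# Bell states of (P, A), amplitudes ordered |00>, |01>, |10>, |11>.
BELL = {"Phi+": (S, 0, 0, S), "Phi-": (S, 0, 0, -S),
        "Psi+": (0, S, S, 0), "Psi-": (0, S, -S, 0)}
# Pauli correction (x, z) Bob applies to particle B for each reported outcome.
FIX = {"Phi+": (0, 0), "Phi-": (0, 1), "Psi+": (1, 0), "Psi-": (1, 1)}

def pauli(state, x, z):
    """sigma_x^x sigma_z^z on a qubit (a, b): E_K for one pair of key bits."""
    a, b = state
    if z:                       # sigma_z acts first
        b = -b
    return (b, a) if x else (a, b)

def same(u, v):
    """True if two qubit states agree up to a global phase."""
    return abs(sum(complex(p).conjugate() * q for p, q in zip(u, v))) ** 2 > 1 - 1e-9

def particle_b(p_enc, outcome):
    """Steps S3/S4: state of B after (P, A) is projected onto a Bell state."""
    a, b = p_enc
    psi = [a * S, 0, 0, a * S, b * S, 0, 0, b * S]   # |P'>|psi>_AB, index 4p+2a+b
    out = [sum(BELL[outcome][pa] * psi[2 * pa + k] for pa in range(4)) for k in (0, 1)]
    n = math.sqrt(sum(abs(c) ** 2 for c in out))
    return tuple(c / n for c in out)

def run(p, r, k_a, measured, reported):
    """Return (V set by Trent in Step V2, result of Bob's comparison in Step V5)."""
    p_enc = pauli(p, *r)                       # S1: |P'> = E_r(|P>)
    s_a = pauli(p_enc, *k_a)                   # S2: |S_A> = E_{K_A}(|P'>)
    v = int(same(pauli(p_enc, *k_a), s_a))     # V2: Trent never sees M_A
    p_b = pauli(particle_b(p_enc, measured), *FIX[reported])  # V5: teleportation
    return v, same(p_b, p_enc)

if __name__ == "__main__":
    p = (0.6, 0.8j)                            # constructed sample message qubit
    print(run(p, (1, 0), (0, 1), "Psi-", "Psi-"))   # honest Alice
    print(run(p, (1, 0), (0, 1), "Phi+", "Psi+"))   # Alice reports a wrong M_A
```

In both runs Trent's parameter is 1; only Bob's private comparison differs, and Trent has no way to check what Bob reports about it.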

3.2 Trojan-horse attacks 

In Zou et al.'s scheme, there are two transmissions of the same quantum signals,
first from Alice to Bob and then from Bob to Trent. Therefore, the malicious
Alice can reveal Bob's secret key without being detected by using Trojan-horse
attacks [17] [18]. As pointed out in [5], there are two ways to use Trojan-horse
attacks: invisible photon eavesdropping (IPE) [17] and delay photon eavesdropping
[18]. Here, we discuss the IPE attack on Zou et al.'s scheme and demonstrate
that Alice can obtain Bob's secret key without being detected. It should be
noted that Alice can also use the delay photon eavesdropping to reveal Bob's
secret key in the same way.

In order to reveal Bob's secret key $K_B$, Alice can use the IPE attack on the
communications in Step S5 and Step V1 as follows:



Step S5a. Alice first prepares a set of eavesdropping states,
$D^i = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{d_1^i d_2^i}$, as invisible
photons, where the subscripts $d_1^i$ and $d_2^i$ represent the first and second
photons, respectively, in $D^i$, $1 \le i \le n$. For each state in $|P'\rangle$
(or $|S_A\rangle$), Alice inserts $d_1^i$ as an invisible photon to that state and
forms a new sequence $|P'\rangle^{d_1}$ ($|S_A\rangle^{d_1}$). Next, Alice sends
$|S'\rangle^{d_1} = (|P'\rangle^{d_1}, |S_A\rangle, |M_A\rangle)$ to Bob.

Step V1a. Bob encrypts $|P'\rangle^{d_1}$ and $|S_A\rangle$ with $K_B$ and sends the
quantum ciphertext $|Y_B\rangle^{d_1'} = E_{K_B}(|P'\rangle^{d_1}, |S_A\rangle)$ to
Trent. Before Trent receives the quantum ciphertext $|Y_B\rangle^{d_1'}$, Alice
captures $d_1'$ from $|Y_B\rangle^{d_1'}$ and measures $d_1' d_2$ together with the
Bell measurement. According to the measurement result of $d_1', d_2$, Alice can
obtain Bob's secret key $K_B$.

It should be noted that Alice can similarly use the process mentioned above to
obtain Bob's secret key $K_{BT}$ in Zou et al.'s second AQS scheme. Since both
schemes are susceptible to Trojan-horse attacks, Bob can deny having verified
a signature.

To protect the scheme from Trojan-horse attacks, it is well known that two
additional devices, a wavelength filter and a photon number splitter (PNS), can
be added to the protocol. By letting the received photons pass through both
devices, the photons with a different wavelength or the delay photons will not
exist or will be detected [MHT5].
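
Why the filter is needed, as an added example that is not from the paper: the one-time-pad operation applied to one photon of an entangled pair maps each pair of key bits to a distinct Bell state, whereas the partner photon on its own stays maximally mixed and carries no key information when the inserted photon is removed before encryption. Function names are assumptions, and the filter is modelled simply as the inserted photon never being returned.

```python
import math

S = 1 / math.sqrt(2)
# Bell states of (d1, d2), amplitudes ordered |00>, |01>, |10>, |11>.
BELL = {"Phi+": (S, 0, 0, S), "Phi-": (S, 0, 0, -S),
        "Psi+": (0, S, S, 0), "Psi-": (0, S, -S, 0)}

def encrypt_first(pair, x, z):
    """Apply sigma_x^x sigma_z^z (one-time pad on one qubit) to photon d1."""
    s = list(pair)
    if z:                                   # sigma_z: sign flip where d1 = 1
        s[2], s[3] = -s[2], -s[3]
    if x:                                   # sigma_x: swap d1 = 0 and d1 = 1
        s[0], s[2] = s[2], s[0]
        s[1], s[3] = s[3], s[1]
    return tuple(s)

def bell_outcome(pair):
    """Bell measurement result for a state that is a Bell state up to phase."""
    for name, b in BELL.items():
        if abs(sum(u * v for u, v in zip(b, pair))) ** 2 > 1 - 1e-9:
            return name
    raise ValueError("not a Bell state")

def outcomes_with_probe():
    """Key bits (x, z) -> Bell outcome when d1 has passed through the pad."""
    return {(x, z): bell_outcome(encrypt_first(BELL["Phi+"], x, z))
            for x in (0, 1) for z in (0, 1)}

def d2_reduced(pair):
    """Reduced density matrix of d2 when d1 is filtered out (traced over)."""
    return tuple(tuple(round(sum(pair[2 * a + j] * pair[2 * a + k] for a in (0, 1)), 9)
                       for k in (0, 1)) for j in (0, 1))

if __name__ == "__main__":
    print(outcomes_with_probe())            # four keys, four different outcomes
    for x in (0, 1):
        for z in (0, 1):                    # always I/2: nothing learned from d2
            print((x, z), d2_reduced(encrypt_first(BELL["Phi+"], x, z)))
```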

4 Conclusions 

This paper has pointed out security flaws in Zou et al.'s AQS schemes, in which
Trent cannot arbitrate a dispute between Alice and Bob when Bob claims a
failure in the signature verification phase. Besides, a malicious verifier, Bob,
can actively negate a signed order from Alice without being detected to get some
benefits in his favor. In addition, we demonstrate that a malicious signatory
can reveal the verifier's secret key by launching Trojan-horse attacks on Zou et
al.'s AQS scheme. How to design an AQS scheme without the DoS attack and
how to construct an AQS scheme free from Trojan-horse attacks without using
any hardware device are interesting questions for future research.